-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: openssl s_client debug mode for ssl_integration_test. #5092
Conversation
This makes life easier when debugging SSL handshake issues. Risk Level: Low Testing: ssl_integration_test with debug and !debug. Signed-off-by: Harvey Tuch <htuch@google.com>
protected: | ||
// Set this true to debug SSL handshake issues with openssl s_client. The | ||
// verbose trace will be in the logs, openssl must be installed separately. | ||
bool debug_with_s_client_{false}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shall we use the @borignssl//:bssl
cc_binary? Then this is self-contained.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it seems like it would be a better option, but it turns out that bssl
is a bit impoverished when it comes to debug output. Take a look at this comparison: https://gist.github.com/htuch/a440a4edfaa059bc83647f3f3cd7083e (there are two files there, one for openssl with max debug, another for bssl). I think when chasing down very low level handshake issues in these tests, having the full openssl s_client
output at disposal is the most helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What information missing in the bssl
output is useful to you? Or more generally, what information from the openssl
output is useful to you?
I have a PR stashed somewhere that adds trace logs during handshake (from TLS socket, not external binary), but it's even more minimal than output from bssl
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Take a look at the gist I link to. openssl gives you a running commentary of different parts of the handshake, it dumps cert details and even the low level hex is sometimes interesting IMHO. Since this is a debug-only setting for one particular test, I'm hoping it's not too controversial :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know what's the difference... What I'm asking is which of that extra information was actually helpful to you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, seeing the decoded certificate types, cipher suites, CNs, signing chains before connection completes was helpful; this was a situation in which handshake failed but I still wanted to see what was on the wire. Also, since I am relatively new to the low-level details of the TLS handshake, being able to see where the failure occurred and what the exact TLS frame looked like was interesting from a grokking perspective.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Friendly ping, can we merge this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delay, I'm OOO this week. Yeah I think it's fair to use openssl
.
…xy#5092) This makes life easier when debugging SSL handshake issues. Part of envoyproxy#1319. Risk Level: Low Testing: ssl_integration_test with debug and !debug. Signed-off-by: Harvey Tuch <htuch@google.com> Signed-off-by: Fred Douglas <fredlas@google.com>
This makes life easier when debugging SSL handshake issues.
Part of #1319.
Risk Level: Low
Testing: ssl_integration_test with debug and !debug.
Signed-off-by: Harvey Tuch htuch@google.com